# CSE-CIC-IDS 2017 Exploratory Data Analysis

In [1]:
import numpy as np
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
from tqdm import tqdm

import glob

In [2]:
NOTEBOOK_PATH = "D:/Delta Stuff/Scifair20/"

In [3]:
f_names = glob.glob(NOTEBOOK_PATH + "IDS2017/MachineLearningCVE/*.csv")
df = pd.concat(tqdm(pd.read_csv(f) for f in f_names))

  sort=sort,
  sort=sort,
8it [00:12,  1.54s/it]


In [4]:
df.reset_index(drop=True, inplace=True)

In [5]:
df.columns = list(map(lambda x: x.strip(), df.columns))

In [6]:
# Remove variables with no variance
remove_vars = []
for i in tqdm(range(len(df.columns))):
    col = df.columns[i]
    unique = df[col].unique()
    if len(unique) <= 1:
        remove_vars.append(col)

100%|██████████████████████████████████████████████████████████████████████████████████| 79/79 [00:04<00:00, 19.51it/s]


In [7]:
remove_vars

['Bwd PSH Flags',
 'Bwd URG Flags',
 'Fwd Avg Bytes/Bulk',
 'Fwd Avg Packets/Bulk',
 'Fwd Avg Bulk Rate',
 'Bwd Avg Bytes/Bulk',
 'Bwd Avg Packets/Bulk',
 'Bwd Avg Bulk Rate']

In [8]:
df.drop(remove_vars, axis=1, inplace=True)

In [9]:
df.shape

(2830743, 71)

In [10]:
df.drop(["Flow Bytes/s", "Flow Packets/s"], axis='columns', inplace=True)

In [11]:
df.shape

(2830743, 69)

# Standardize data

In [12]:
from sklearn.preprocessing import PowerTransformer

In [13]:
scaler = PowerTransformer(method='yeo-johnson', standardize=True)

In [14]:
x_df = df.drop("Label", axis=1)
y_df = df.loc[:, "Label"]

In [15]:
x_df_ptscaled = scaler.fit_transform(x_df, y_df)

In [16]:
scaled_summary = pd.DataFrame(x_df_ptscaled, columns=x_df.columns).describe()
scaled_summary

Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,act_data_pkt_fwd,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min
count,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,...,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0,2830743.0
mean,5.614575e-17,-5.294087e-16,-1.481637e-15,-7.895848e-16,-6.103742e-16,4.526701e-16,-2.06912e-16,-5.198502e-16,-1.929056e-15,1.91008e-16,...,-6.024222e-18,-1.909197e-15,-2.522141e-16,8.514234000000001e-18,2.3775600000000002e-17,1.824135e-16,8.731106e-17,-3.527785e-16,-2.910904e-16,1.681963e-16
std,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,...,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0,1.0
min,-8.085491,-22.86645,-1.30401,-1.655424,-1.617208,-1.34954,-1.591983,-0.9953509,-1.640853,-0.7155903,...,-1.200386,-27.52211,-0.4925726,-0.2797894,-0.4923377,-0.4926216,-0.5006239,-0.2968475,-0.5006238,-0.5006238
25%,-0.8738939,-0.8876095,-0.2338725,-0.4381973,-0.5559671,-1.34954,-0.6855578,-0.9953509,-0.6405733,-0.7155903,...,-1.200386,-0.9087109,-0.4925726,-0.2797894,-0.4923377,-0.4926216,-0.5006239,-0.2968475,-0.5006238,-0.5006238
50%,-0.5280598,0.1134869,-0.2338725,0.1225253,0.1168017,0.1793477,0.1106896,-0.1864637,0.3389061,-0.7155903,...,0.1163599,-0.3832149,-0.4925726,-0.2797894,-0.4923377,-0.4926216,-0.5006239,-0.2968475,-0.5006238,-0.5006238
75%,0.5271538,0.9319696,0.8888288,0.702943,0.5919397,0.579186,0.4752672,1.140584,0.5905137,1.240967,...,0.6579127,0.8493489,-0.4925726,-0.2797894,-0.4923377,-0.4926216,-0.5006239,-0.2968475,-0.5006238,-0.5006238
max,1.713337,1.538709,2.168643,3.041949,5.883933,4.035647,3.233995,2.329224,4.685579,1.704225,...,2.511256,34.92139,2.093608,3.57614,2.098229,2.092428,2.006166,3.369526,2.006018,2.006746


In [17]:
y_df_group = y_df.copy()

for i in tqdm(range(len(y_df_group))):
    attack = y_df_group[i]
    group = attack
    if attack in ("DoS Hulk", "DoS GoldenEye", "DoS slowloris", "DoS Slowhttptest"):
        group = "DoS"
    elif attack.startswith("Web Attack"):
        group = "Web Attack"
    elif attack == "FTP-Patator":
        group = "Brute Force FTP"
    elif attack == "SSH-Patator":
        group = "Brute Force SSH"
    
    y_df_group[i] = group

In [23]:
y_df.value_counts()

BENIGN                        2273097
DoS Hulk                       231073
PortScan                       158930
DDoS                           128027
DoS GoldenEye                   10293
FTP-Patator                      7938
SSH-Patator                      5897
DoS slowloris                    5796
DoS Slowhttptest                 5499
Bot                              1966
Web Attack � Brute Force         1507
Web Attack � XSS                  652
Infiltration                       36
Web Attack � Sql Injection         21
Heartbleed                         11
Name: Label, dtype: int64

In [19]:
y_df_group.value_counts()

BENIGN             2273097
DoS                 252661
PortScan            158930
DDoS                128027
Brute Force FTP       7938
Brute Force SSH       5897
Web Attack            2180
Bot                   1966
Infiltration            36
Heartbleed              11
Name: Label, dtype: int64

In [22]:
y_df_enc = pd.get_dummies(y_df_group)

In [23]:
y_df_enc

Unnamed: 0,BENIGN,Bot,Brute Force FTP,Brute Force SSH,DDoS,DoS,Heartbleed,Infiltration,PortScan,Web Attack
0,1,0,0,0,0,0,0,0,0,0
1,1,0,0,0,0,0,0,0,0,0
2,1,0,0,0,0,0,0,0,0,0
3,1,0,0,0,0,0,0,0,0,0
4,1,0,0,0,0,0,0,0,0,0
5,1,0,0,0,0,0,0,0,0,0
6,1,0,0,0,0,0,0,0,0,0
7,1,0,0,0,0,0,0,0,0,0
8,1,0,0,0,0,0,0,0,0,0
9,1,0,0,0,0,0,0,0,0,0
